A whopping 91% of cyberattacks, and the resulting data breaches, begin with a "spear phishing" email, according to recent research from security software firm Trend Micro. This conclusively shows that end-users really are the weak link in IT security.

You may have asked yourself what it takes to send a spear phishing attack. This is not trivial, and can only be done by someone trained in advanced hacking techniques. We will first take a look at the steps required to send a spear phishing attack, and then we'll look at steps to mitigate this threat. For the (simplified) attack steps I am freely borrowing from a great blog post by Brandon McCann, a pentester at Accuvant Labs, which is a business partner of ours.

I will try to keep this as non-technical as possible, but there will be a few terms you may have to look up. Here are the steps to begin with, don't fall asleep! We will go into all of these one by one and explain what they mean.

- Identify Email Addresses
- Antivirus Evasion
- Egress Filtering
- Spear Phishing Scenario
- Sending The Spear Phishing Emails
- Harvesting Treasure

Identify Email Addresses

There are two ways you can send phishing campaigns. The first is 'spray-and-pray', which is a shotgun approach: get as many email addresses from the organization you target as you can, and send them all an email that they might click on. The second approach is to decide what data you are after, then figure out who has access to that data, and specifically target those people. That is the spear phishing approach, and LinkedIn, for instance, is extremely useful during this targeting step.

There are several ways to get your hands on the email addresses of an organization. The one favored by the bad guys is using scripts to harvest email addresses from the large search engines. You'd be surprised how many emails you can get your hands on and how big your phishing attack surface is. KnowBe4 has a free service called the Email Exposure Check that provides your list of exposed email addresses as a one-time service. Once you have the email addresses of the few people you are targeting, you are ready for step two.

Antivirus Evasion

It's obvious that if you want to arrive in the inbox of your target, you need to make sure that your email is not caught by the antivirus software that your target uses. Do your homework and research the IT job sites for open system admin positions at your target. The amount of information you find there is often astounding and tells you exactly which antivirus and which version they use. Otherwise, social media provides many other ways to find out. Once you know, set up a test bed, install that AV and make sure your spear phishing email comes through OK. Metasploit can help you with this; it is an open source computer security project which provides information about security vulnerabilities and aids in penetration testing.

Egress Filtering

You need to make sure that you can get the information out of the organization you are attacking, so the payload you are sending with your attack needs to allow traffic to exit the organization. A popular payload is called 'reverse_https' because it creates an encrypted tunnel back to the Metasploit server, which makes it very hard for security software like intrusion detection systems or firewalls to detect anything. To those products, the exfiltrated phishing data all looks like normal HTTPS traffic.

Spear Phishing Scenario

There are many articles written about this by now, and it's the essence of social engineering end-users. If they haven't had high-quality security awareness training, they are easy targets for spear phishers. The attacker does research on their targets, finds out who they regularly communicate with, and sends a personalized email to the target that uses one or more of the 22 Social Engineering Red Flags to make the target click on a link or open an attachment. Just imagine you get an email from the email address of your significant other that has in the subject line: "Honey, I had a little accident with the car", and in the body: "I made some pictures with my smart phone, do you think this is going to be very expensive?"

Sending The Spear Phishing Emails

You can raise a temporary mail server and blast away, but that mail server will not have a reputation score, so a lot of its email will be blocked from getting in. A better solution is going to GoDaddy, purchasing a valid domain name, and setting up the free email server that comes with the domain, so that an MX record is automatically created for you by GoDaddy. While you are at it, also do a Whois lookup and change the GoDaddy Whois information for your phishing domain. All that helps the mail get through, and you can send it with any email client or with a script.

Harvesting Treasure

Let's assume that your target clicked on the link, and you were able to place a keylogger on their machine. Now it's a matter of waiting for the hourly burst of keyboard data back to your server, and monitoring for the credentials you are after. Once you have those, it's a matter of getting into the workstation, getting all network password hashes, cracking them and elevating to administrator access to the whole network.

Preventing Successful Spear Phishing Attacks

Now, how to mitigate against attacks like this? First of all, you need all your defense-in-depth layers in place. Defending against attacks like this is a multi-layer approach. Make sure you have the following in place: an Email Gateway Spam Filter and/or a spam filter in your Exchange Server. Turn on the Outlook 'Junk Email' Filter, run different antivirus products on the workstation and the mail server, have an active Intrusion Prevention System, use Web Proxy Servers, and ideally have deep-packet inspection egress filtering, plus there are some more things you could add. The trick is to make it as hard as possible for the attacker to get through.
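As an added example (not code from the original post or from KnowBe4), here is the kind of detection logic a web proxy or egress-filtering layer can run against the "hourly burst" and reverse_https-style traffic described above: it scans proxy log lines for a workstation that keeps connecting to the same destination at near-constant intervals with near-constant sizes, which is how a timer-driven beacon looks even when every connection is ordinary-looking HTTPS. The log format, hostnames, addresses and thresholds are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log (not real data): "<ISO timestamp> <client> <destination> <bytes sent>".
# The workstation contacts updates.example.net every hour with ~1.4 KB, like a scheduled beacon.
SAMPLE_LOG = """
2013-05-06T09:00:03 10.1.2.34 updates.example.net:443 1420
2013-05-06T09:12:41 10.1.2.34 mail.example.org:443 880
2013-05-06T10:00:05 10.1.2.34 updates.example.net:443 1398
2013-05-06T10:47:12 10.1.2.34 cdn.example.com:443 20480
2013-05-06T11:00:02 10.1.2.34 updates.example.net:443 1455
2013-05-06T11:31:55 10.1.2.34 mail.example.org:443 910
2013-05-06T12:00:04 10.1.2.34 updates.example.net:443 1402
2013-05-06T13:00:06 10.1.2.34 updates.example.net:443 1433
2013-05-06T13:02:18 10.1.2.34 cdn.example.com:443 18944
2013-05-06T14:00:01 10.1.2.34 updates.example.net:443 1410
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def parse_log(text):
    """Yield (timestamp, client, destination, bytes) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line: skip it rather than abort the scan
        ts, client, dest, nbytes = m.groups()
        yield datetime.fromisoformat(ts), client, dest, int(nbytes)

def find_beacons(text, min_hits=5, max_gap_cv=0.1, max_size_cv=0.25):
    """Return {(client, dest): mean gap in seconds} for pairs whose connections recur at
    near-constant intervals and sizes. cv = population std dev / mean; a timer-driven
    beacon has a tiny cv, while human browsing has irregular gaps and sizes."""
    events = defaultdict(list)
    for ts, client, dest, nbytes in parse_log(text):
        events[(client, dest)].append((ts, nbytes))
    beacons = {}
    for key, hits in events.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        sizes = [n for _, n in hits]
        if mean(gaps) <= 0 or mean(sizes) <= 0:
            continue  # duplicate timestamps or empty requests: cv is undefined
        if pstdev(gaps) / mean(gaps) <= max_gap_cv and pstdev(sizes) / mean(sizes) <= max_size_cv:
            beacons[key] = mean(gaps)
    return beacons
```

Calling `find_beacons(SAMPLE_LOG)` flags only the hourly updates.example.net connections; the mail and CDN traffic is too infrequent and irregular to match. Tune `min_hits` and the cv thresholds to your own proxy volume before alerting on real logs.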

And now let's look at some other tactics that will help prevent a successful spear phishing attack:
- Do not have a list of all email addresses of all employees on your website; use a web form instead.
- Regularly scan the Internet for exposed email addresses and/or credentials. You would not be the first one to find one of your end-users' usernames and passwords on a crime or porn site.
- Enlighten your users about the dangers of leaving all kinds of personal information on social media sites.
- Last but not least, you could go through all the steps above and start sending simulated spear phishing attacks to all your end users, but why not use our fully automated service and let us help you with that? We provide security awareness training combined with pre- and post-training simulated phishing testing to make sure end users stay on their toes with security top of mind. Since 91% of successful attacks use spear phishing to get in, this will get you by far the highest ROI for your security budget, with visible proof that the training works!

6 Replies


I thought Spear-Phishing was when you send a user an innocent mail, but send it late on a Friday; the system will check it, determine it to be safe / innocuous and pass it through

THEN you recall it and add the payload

Stu Sjouwerman wrote:

You may have asked yourself what it takes to send a spear phishing attack. This is not trivial, and can ONLY be done by someone trained in ADVANCED hacking techniques.

I would really like to think this is true, but fear that it has all been automated away nowadays, with people easily able to 'research' any business online, you could quite easily set up a production line of attacks in waiting, with one team doing the footprinting, and another setting the payloads with yet another testing access

it only takes ONE to get through, so just like the government v terrorism

Wow what an article. Articles like these only serve the companies that write them, to sell their product! FUD (Fear, Uncertainty, Doubt)

I mean "You may have asked yourself what it takes to send a spear phishing attack. This is not trivial, and can only be done by someone trained in advanced hacking techniques." Really? Without even going into the whole definition-of-a-hacker bit, this quote alone is solid gold FUD!

Uhhm I hate to say it, but you don't need to be a "super ninja elite black hat hacker" to be able to sit down and write an email with a malicious link in it! A mastery of the target language perhaps, an ability to play into the psyche of the target(s) and perhaps a good spell checker, and of course a malicious link are needed however. Kids can do this.

Further I personally find it insulting that someone would start writing a piece, and then tell readers, "don't fall asleep", and "there may be a few terms you have to look up"! How about if I read your piece, then I stayed awake, and if I need to look something up, I will be the judge of that!

Funny how this whole piece looks like it was intended for a C-level briefing (with all the buzz words) instead of a community of computer professionals. While granted those professionals can't know everything about everything, if you can't see the desire to scare people into buying something, then all the egress filters and spam rules in the world aren't gonna save your data!

The internet is full of the same types of pieces as above from the last 10 years, which is telling that not only are the people writing this drivel not effectively combating anything other than personal poverty, but that the entire process is a joke.
Until C levels take security as seriously as their profit margins, and the computing industry as a whole does the same, then things will always be a cat and mouse game.

Sorry for coming across as a bit scathing, and harsh, but I call it like I see it.

are5944, you'd be surprised how many IT Pros don't get the concepts mentioned above, or feel that it won't happen to them. To us, it's more of preaching to the choir. To them, it's a much-needed wake up call.

There are 3 main ways of getting management interested in security.

1. They naturally want to be secure. (This is rare.)
2. They are talked/shocked into being interested. (This is the most effective. FUD can help here.)
3. Something bad happens, and in the aftermath, management wants to prevent a repeat. (Not a healthy idea for the business. )


The only problem with #3 is that part of the "management solution" will be blame. And since all management is brilliant, it must be IT's fault.

